authorAidan Skinner <aidan@apache.org>2008-07-07 14:44:54 +0000
committerAidan Skinner <aidan@apache.org>2008-07-07 14:44:54 +0000
commit7edd2d41a3b067752532be6a2a8a6b6ce2851786 (patch)
tree95c3fad5c3e34a2246d4b41ccc43410d49a8134c /java
parentdc7a6dbde25cac3e94d9f1ee0184c417cafb6ed9 (diff)
downloadqpid-python-7edd2d41a3b067752532be6a2a8a6b6ce2851786.tar.gz
QPID-474 Make sure that our SASL servers actually, y'know, validate the password
AmqPlainSaslServer.java: Actually check password PlainSaslServer.java: Actually check password SaslServerTestCase.java: base test case for testing our SASL impls AMQPlainSaslServerTest.java: test the AMQPlainSaslServer dealie PlainSaslServerTest.java: test the PlainSaslServer TestPrincipalDatabase.java: Mockish TestPrincipalDatabase git-svn-id: https://svn.apache.org/repos/asf/incubator/qpid/trunk/qpid@674510 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'java')
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java9
-rw-r--r--java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java10
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/SaslServerTestCase.java45
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalDatabase.java65
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/amqplain/AMQPlainSaslServerTest.java43
-rw-r--r--java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServerTest.java39
6 files changed, 204 insertions, 7 deletions
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java
index 7842f376fb..9f56b8521a 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/amqplain/AmqPlainSaslServer.java
@@ -68,12 +68,15 @@ public class AmqPlainSaslServer implements SaslServer
PasswordCallback passwordCb = new PasswordCallback("prompt", false);
// TODO: should not get pwd as a String but as a char array...
String pwd = (String) ft.getString("PASSWORD");
- passwordCb.setPassword(pwd.toCharArray());
AuthorizeCallback authzCb = new AuthorizeCallback(username, username);
Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
_cbh.handle(callbacks);
- _complete = true;
- if (authzCb.isAuthorized())
+ String storedPwd = new String(passwordCb.getPassword());
+ if (storedPwd.equals(pwd))
+ {
+ _complete = true;
+ }
+ if (authzCb.isAuthorized() && _complete)
{
_authorizationId = authzCb.getAuthenticationID();
return null;
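Review bot: `storedPwd.equals(pwd)` on the added line compares the stored and client-supplied passwords with String.equals, which returns at the first differing character, so the time evaluateResponse takes leaks how long a correct prefix the client sent; both values are also copied into immutable Strings that can never be cleared, which the TODO just above already flags. `passwordCb.getPassword()` can be null if the handler set no password, and `new String((char[]) null)` then throws NullPointerException instead of a clean failure, and `pwd` itself is null if the field table has no PASSWORD entry. Compare the char arrays with a fixed-cost loop, clear both copies afterwards, and only then fold the result into `_complete` (needs `java.util.Arrays` imported; `_complete` stays false on mismatch, and how that is reported after the hunk is not visible here).
```java
// … unchanged: NameCallback/PasswordCallback/AuthorizeCallback built, _cbh.handle(callbacks) …
char[] stored = passwordCb.getPassword();
char[] supplied = pwd == null ? new char[0] : pwd.toCharArray();
try
{
    // Fixed-cost comparison: walk the whole array and OR the differences
    // together instead of returning on the first mismatch.
    boolean match = stored != null && stored.length == supplied.length;
    int diff = 0;
    for (int i = 0; match && i < stored.length; i++)
    {
        diff |= stored[i] ^ supplied[i];
    }
    _complete = match && diff == 0;
}
finally
{
    // Do not leave either copy of the password on the heap longer than needed.
    if (stored != null)
    {
        Arrays.fill(stored, '\0');
    }
    Arrays.fill(supplied, '\0');
    passwordCb.clearPassword();
}
if (authzCb.isAuthorized() && _complete)
```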
diff --git a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java
index 36aeb77fe1..45fb9a4e42 100644
--- a/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java
+++ b/java/broker/src/main/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServer.java
@@ -72,17 +72,19 @@ public class PlainSaslServer implements SaslServer
// we do not care about the prompt but it throws if null
NameCallback nameCb = new NameCallback("prompt", authzid);
- // we do not care about the prompt but it throws if null
PasswordCallback passwordCb = new PasswordCallback("prompt", false);
// TODO: should not get pwd as a String but as a char array...
int passwordLen = response.length - authcidNullPosition - 1;
String pwd = new String(response, authcidNullPosition + 1, passwordLen, "utf8");
- passwordCb.setPassword(pwd.toCharArray());
AuthorizeCallback authzCb = new AuthorizeCallback(authzid, authzid);
Callback[] callbacks = new Callback[]{nameCb, passwordCb, authzCb};
_cbh.handle(callbacks);
- _complete = true;
- if (authzCb.isAuthorized())
+ String storedPwd = new String(passwordCb.getPassword());
+ if (storedPwd.equals(pwd))
+ {
+ _complete = true;
+ }
+ if (authzCb.isAuthorized() && _complete)
{
_authorizationId = authzCb.getAuthenticationID();
return null;
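Review bot: `new String(passwordCb.getPassword())` on the first added line throws NullPointerException when the callback handler leaves the password unset (an unknown user, if the handler does not throw first), so a failed lookup would surface as an unhandled NPE rather than the SaslException the new tests expect. Guard it and clear the copy afterwards: `char[] stored = passwordCb.getPassword();` / `_complete = stored != null && Arrays.equals(stored, pwd.toCharArray());` / `passwordCb.clearPassword();`. Arrays.equals still short-circuits on the first differing character, so the check should be the same constant-time char[] comparison as in AmqPlainSaslServer, ideally one shared static helper in the sasl package since the two added blocks are otherwise identical line for line. The enclosing evaluateResponse continues past the hunk, and one line of the hunk appears to have been lost in rendering, so what happens when `_complete` stays false is not visible here.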
diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/SaslServerTestCase.java b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/SaslServerTestCase.java
new file mode 100644
index 0000000000..6c1b7f2a1c
--- /dev/null
+++ b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/SaslServerTestCase.java
@@ -0,0 +1,45 @@
+package org.apache.qpid.server.security.auth.sasl;
+
+import javax.security.sasl.SaslException;
+import javax.security.sasl.SaslServer;
+
+import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
+
+import junit.framework.TestCase;
+
+public abstract class SaslServerTestCase extends TestCase
+{
+ protected SaslServer server;
+ protected String username = "u";
+ protected String password = "p";
+ protected String notpassword = "a";
+ protected PrincipalDatabase db = new TestPrincipalDatabase();
+
+ protected byte[] correctresponse;
+ protected byte[] wrongresponse;
+
+ public void testSucessfulAuth() throws SaslException
+ {
+ byte[] resp = this.server.evaluateResponse(correctresponse);
+ assertNull(resp);
+ }
+
+ public void testFailAuth()
+ {
+ boolean exceptionCaught = false;
+ try
+ {
+ byte[] resp = this.server.evaluateResponse(wrongresponse);
+ }
+ catch (SaslException e)
+ {
+ assertEquals("Authentication failed", e.getCause().getMessage());
+ exceptionCaught = true;
+ }
+ if (!exceptionCaught)
+ {
+ fail("Should have thrown SaslException");
+ }
+ }
+
+}
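Review bot: Neither test checks `SaslServer.isComplete()`, yet the bug this commit fixes was precisely `_complete` being set before the password was verified, so a regression that again completes the exchange on a bad password would still pass as long as some exception is thrown. Add `assertTrue(this.server.isComplete());` after the `assertNull(resp)` in testSucessfulAuth and `assertFalse(this.server.isComplete());` in the catch block of testFailAuth. In that catch block `e.getCause().getMessage()` dereferences the cause without checking it, so a SaslException thrown without a cause fails with a NullPointerException rather than a readable assertion; put `assertNotNull(e.getCause());` in front of it. The unused `byte[] resp` local in testFailAuth and the "Sucessful" spelling are minor style nits.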
diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalDatabase.java b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalDatabase.java
new file mode 100644
index 0000000000..74a5112411
--- /dev/null
+++ b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/TestPrincipalDatabase.java
@@ -0,0 +1,65 @@
+package org.apache.qpid.server.security.auth.sasl;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.List;
+import java.util.Map;
+
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.login.AccountNotFoundException;
+
+import org.apache.qpid.server.security.auth.database.PrincipalDatabase;
+import org.apache.qpid.server.security.auth.sasl.AuthenticationProviderInitialiser;
+
+public class TestPrincipalDatabase implements PrincipalDatabase
+{
+
+ public boolean createPrincipal(Principal principal, char[] password)
+ {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ public boolean deletePrincipal(Principal principal) throws AccountNotFoundException
+ {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ public Map<String, AuthenticationProviderInitialiser> getMechanisms()
+ {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public Principal getUser(String username)
+ {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public List<Principal> getUsers()
+ {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ public void setPassword(Principal principal, PasswordCallback callback) throws IOException,
+ AccountNotFoundException
+ {
+ callback.setPassword("p".toCharArray());
+ }
+
+ public boolean updatePassword(Principal principal, char[] password) throws AccountNotFoundException
+ {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ public boolean verifyPassword(String principal, char[] password) throws AccountNotFoundException
+ {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+}
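Review bot: `setPassword` hands back "p" for every principal it is given, so a server that authenticates any username with password "p" is indistinguishable from a correct one under this stub, and a wrong-username test cannot be written against it. Make the stub reject unknown accounts the way the real database presumably does (the callback handler's lookup path is not visible here), e.g. `if (!"u".equals(principal.getName())) throw new AccountNotFoundException(principal.getName());` before the `callback.setPassword` line, and consider having `getUser` return a matching Principal for "u" in case the handler looks the user up first. The other stubbed methods returning false or null are fine for a mock, but a one-line class comment saying the database knows exactly one user "u"/"p" would save the next reader from scanning all of them. This file and SaslServerTestCase also lack the ASF license header that the two other new test files carry.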
diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/amqplain/AMQPlainSaslServerTest.java b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/amqplain/AMQPlainSaslServerTest.java
new file mode 100644
index 0000000000..6245064bf7
--- /dev/null
+++ b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/amqplain/AMQPlainSaslServerTest.java
@@ -0,0 +1,43 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.server.security.auth.sasl.amqplain;
+
+import org.apache.qpid.framing.FieldTable;
+import org.apache.qpid.framing.FieldTableFactory;
+import org.apache.qpid.server.security.auth.sasl.SaslServerTestCase;
+import org.apache.qpid.server.security.auth.sasl.UsernamePasswordInitialiser;
+
+public class AMQPlainSaslServerTest extends SaslServerTestCase
+{
+ protected void setUp() throws Exception
+ {
+ UsernamePasswordInitialiser handler = new AmqPlainInitialiser();
+ handler.initialise(db);
+ this.server = new AmqPlainSaslServer(handler.getCallbackHandler());
+ FieldTable table = FieldTableFactory.newFieldTable();
+ table.setString("LOGIN", username);
+ table.setString("PASSWORD", password);
+ correctresponse = table.getDataAsBytes();
+ table.setString("PASSWORD", notpassword);
+ wrongresponse = table.getDataAsBytes();
+ }
+}
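Review bot: The fixture only varies the PASSWORD field, so the unknown-user path of AmqPlainSaslServer is never exercised; a third response built with `table.setString("LOGIN", "nosuchuser");` and the correct password should be rejected as well, which also needs TestPrincipalDatabase to refuse unknown principals rather than answering "p" for everyone. Building `wrongresponse` by mutating the same `table` after `correctresponse` was taken is only safe if `getDataAsBytes()` returns a fresh encoding each call, which cannot be confirmed from here; a comment stating that assumption, or a second FieldTable, would make the fixture self-evident.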
diff --git a/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServerTest.java b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServerTest.java
new file mode 100644
index 0000000000..5dd51250dc
--- /dev/null
+++ b/java/broker/src/test/java/org/apache/qpid/server/security/auth/sasl/plain/PlainSaslServerTest.java
@@ -0,0 +1,39 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *
+ */
+
+package org.apache.qpid.server.security.auth.sasl.plain;
+
+import org.apache.qpid.server.security.auth.sasl.SaslServerTestCase;
+import org.apache.qpid.server.security.auth.sasl.UsernamePasswordInitialiser;
+
+public class PlainSaslServerTest extends SaslServerTestCase
+{
+
+ protected void setUp() throws Exception
+ {
+ UsernamePasswordInitialiser handler = new PlainInitialiser();
+ handler.initialise(db);
+ this.server = new PlainSaslServer(handler.getCallbackHandler());
+ correctresponse = new byte[]{0x0, (byte) username.charAt(0), 0x0, (byte) password.charAt(0)};
+ wrongresponse = new byte[]{0x0,(byte) username.charAt(0), 0x0, (byte) notpassword.charAt(0)};
+ }
+
+}
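Review bot: The hand-built PLAIN responses use `(byte) username.charAt(0)` and `(byte) password.charAt(0)`, which only work because the base-class fixtures are single characters; changing `username` or `password` in SaslServerTestCase would silently truncate them and the test would stop testing what it claims. Encode the whole message instead: `correctresponse = ("\0" + username + "\0" + password).getBytes("utf8");` and `wrongresponse = ("\0" + username + "\0" + notpassword).getBytes("utf8");`, which also documents the RFC 4616 layout (empty authzid, NUL, authcid, NUL, passwd) that the raw bytes obscure. As with the AMQPLAIN test, only the wrong-password path is covered; a response with an unknown authcid is the other rejection case worth a fixture.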